The author is a Forbes contributor. The opinions expressed are those of the writer.


After months of inaction and even a warning from the Department of Homeland Security, Oracle has finally released a fix for yet another security vulnerability in its ubiquitous and notoriously buggy Java software. But a simpler and far more effective fix has been available all along: kick your Java habit altogether.

Despite Oracle's new patch, which the company posted to its website Sunday--more than four months after it was informed about the bug by Polish security firm Security Explorations--Java watchers in the security industry are recommending that users give up on the endless cycle of the program's bugs and fixes and instead turn it off in their browsers for good. "Users should simply disable it," says H.D. Moore, chief security officer at the security firm Rapid7 who has tested numerous Java exploitation techniques over the last year. "The amount of utility it offers is so much smaller than the risk it creates for users. It's much safer to leave it off."

The Department of Homeland Security took the rare step of issuing a warning to users late last week that a new flaw in Java had been integrated into multiple common "exploit kits," commonly available attack software that lets criminals infect users' machines with malware through a malicious Java applet when they visit a compromised or attacker-controlled website.

Apple, for its part, responded to Oracle's security failings by disabling the Java plug-in by default in all browsers on Mac OS X. Wolfgang Kandek, chief technology officer at software vulnerability analysis firm Qualys, says users of other operating systems should take the same step, only enabling Java on the rare occasions that they encounter a trusted website that requires the program. (A useful guide to uninstalling the program can be found on KrebsOnSecurity.)
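Knowing whether the plug-in is actually off is the first check a user or administrator should make after following that advice. The example below is added here and is not code from the Forbes article or from Oracle, Apple or Qualys: it inspects the MIME types a page can see through navigator.mimeTypes, where the Java Plug-in has historically registered entries such as "application/x-java-applet;jpi-version=1.7.0_10", and reports whether a Java plug-in is present, enabled, and (if the caller supplies a minimum version) older than that version. The MIME-type names, the "jpi-version" parameter format and the sample navigator objects are assumptions constructed for the example; it also generalizes the article's point slightly by comparing versions, which the article only implies when it notes that Java still requires manual updates.

```javascript
// Added example (not from the Forbes article). Detects a Java browser plug-in
// from the MIME types it registers in navigator.mimeTypes and optionally flags
// a version older than the caller's minimum. MIME-type names and the
// "jpi-version=" parameter format are assumptions based on the historical
// Oracle/Sun plug-in; the sample navigator objects below are constructed.

const JAVA_MIME_PREFIXES = [
  'application/x-java-applet',
  'application/x-java-vm',
  'application/x-java-bean',
];

// "1.7.0_10" -> [1, 7, 0, 10]; any non-digit run is treated as a separator,
// so "1.7.0.10" and "1.7.0_10" compare equal.
function parseJavaVersion(version) {
  return String(version).split(/[^0-9]+/).filter(Boolean).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b; missing parts count as 0.
function compareJavaVersions(a, b) {
  const pa = parseJavaVersion(a);
  const pb = parseJavaVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Pulls the version out of "application/x-java-applet;jpi-version=1.7.0_10";
// null when the MIME type carries no version parameter.
function jpiVersionOf(mimeType) {
  const m = /;\s*jpi-version\s*=\s*([0-9][0-9._]*)/i.exec(mimeType);
  return m ? m[1] : null;
}

// nav: a navigator-like object whose mimeTypes is an array-like of
// { type, enabledPlugin } entries (enabledPlugin is null when the browser has
// the plug-in installed but disabled). minVersion: optional oldest acceptable
// version string supplied by the caller.
function javaPluginStatus(nav, minVersion) {
  const mimeTypes = nav && nav.mimeTypes ? Array.from(nav.mimeTypes) : [];
  const matches = [];
  for (const mt of mimeTypes) {
    const type = String(mt.type || '').toLowerCase();
    if (JAVA_MIME_PREFIXES.some(prefix => type.startsWith(prefix))) {
      matches.push({ type, version: jpiVersionOf(type), enabled: Boolean(mt.enabledPlugin) });
    }
  }
  const versions = [...new Set(matches.map(m => m.version).filter(Boolean))];
  const enabled = matches.some(m => m.enabled);
  // outdated is only meaningful when the plug-in is enabled and reports a version.
  let outdated = null;
  if (enabled && minVersion && versions.length > 0) {
    outdated = versions.some(v => compareJavaVersions(v, minVersion) < 0);
  }
  return { present: matches.length > 0, enabled, versions, outdated };
}

// Constructed sample: a browser with a Java 7 plug-in registered and enabled.
const NAV_WITH_JAVA = {
  mimeTypes: [
    { type: 'application/pdf', enabledPlugin: { name: 'PDF Viewer' } },
    { type: 'application/x-java-applet;jpi-version=1.7.0_10', enabledPlugin: { name: 'Java(TM) Platform SE 7' } },
    { type: 'application/x-java-vm', enabledPlugin: { name: 'Java(TM) Platform SE 7' } },
  ],
};

// Constructed sample: plug-in installed but disabled, the state the advice above aims for.
const NAV_JAVA_DISABLED = {
  mimeTypes: [{ type: 'application/x-java-applet;jpi-version=1.7.0_10', enabledPlugin: null }],
};

// Constructed sample: no Java plug-in at all.
const NAV_WITHOUT_JAVA = {
  mimeTypes: [{ type: 'application/pdf', enabledPlugin: { name: 'PDF Viewer' } }],
};

// Live check when pasted into a browser console; skipped under Node.
if (typeof navigator !== 'undefined') {
  console.log(javaPluginStatus(navigator));
}
```

A result of `present: true, enabled: true` means a page can still instantiate applets, and the advice above has not been followed; `present: true, enabled: false` is what a disabled plug-in looks like in browsers that keep the entry but null out `enabledPlugin` (some browsers drop the entry entirely, which shows as `present: false`). Comparing against a caller-chosen `minVersion` is how a site or a help desk can tell a plug-in that is merely present from one that is also behind on patches.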

Java in many ways goes against all the security trends that have made browsers harder to exploit in recent years. It still requires manual updates, even though several browsers now automatically download and install new versions of themselves. And while modern browsers try to prevent websites from gaining access to a PC beyond a limited "sandbox," Java can in many cases allow attackers to escape those restrictions, read the full hard disk and make network connections to remote servers. "The attack surface is so big," Kandek says. "In many ways, you don't want Java to be able to do all the things that it does anymore."

As for Oracle's failure to maintain the security of the software, Kandek blames Oracle's focus on its corporate customers--Java, after all, was a partly consumer-facing addition to Oracle's product line acquired along with Sun Microsystems in 2009. He expects that Oracle will eventually wake up to the need for more vigilance in quickly detecting and blocking attacks on its consumer software, just as Microsoft has done over the last decade.

If it wants to maintain Java's hold in consumers' browsers, it had better. "I don't see these attacks against Java stopping," says Kandek. "It would be great if we could all just turn it off."